
Cyber: New York regulator moves the goalposts

September 2016

Overview

In early September 2016, the New York State Department of Financial Services (DFS) proposed a broad set of cybersecurity regulations for the banks, insurers, and other financial institutions it supervises. The proposal is largely consistent with existing guidance, but it goes further in several respects. The most impactful new requirements are its call for encryption of all nonpublic information, both in transit and at rest, and for multi-factor authentication for access to internal systems and data.

Additionally, the proposal would require that the chairperson of the board or a senior officer submit an annual certification that the entity is complying with the regulation's requirements. Those signing the certification could be exposed to individual liability if the organization's cybersecurity program is later found to be noncompliant.

As an overview, this paper covers the following:

What does the DFS proposal require?

Cybersecurity program

Cybersecurity policy

What are the new challenges?

Data encryption

Enhanced multi-factor authentication

Annual certification

Incident reporting

It is clear that regulators across the financial services industry are focused on raising the bar for cybersecurity programs. As a result, we recommend that organizations proactively focus on developing a robust risk-based cybersecurity program rather than reactively responding to siloed regulatory guidance.